draft-ietf-ldapbis-models-13.txt   draft-ietf-ldapbis-models-14.txt 
INTERNET-DRAFT Editor: Kurt D. Zeilenga INTERNET-DRAFT Editor: Kurt D. Zeilenga
Intended Category: Standard Track OpenLDAP Foundation Intended Category: Standard Track OpenLDAP Foundation
Expires in six months 9 February 2005 Expires in six months 21 February 2005
Obsoletes: RFC 2251, RFC 2252, RFC 2256 Obsoletes: RFC 2251, RFC 2252, RFC 2256, RFC 3674
LDAP: Directory Information Models LDAP: Directory Information Models
<draft-ietf-ldapbis-models-13.txt> <draft-ietf-ldapbis-models-14.txt>
Status of this Memo Status of this Memo
This document is intended to be published as a Standard Track RFC. This document is intended to be published as a Standard Track RFC.
Distribution of this memo is unlimited. Technical discussion of this Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Revision Working Group document will take place on the IETF LDAP Revision Working Group
mailing list <ietf-ldapbis@openldap.org>. Please send editorial mailing list <ietf-ldapbis@openldap.org>. Please send editorial
comments directly to the editor <Kurt@OpenLDAP.org>. comments directly to the editor <Kurt@OpenLDAP.org>.
By submitting this Internet-Draft, I accept the provisions of Section By submitting this Internet-Draft, I accept the provisions of Section
skipping to change at page 2, line 28 skipping to change at page 2, line 28
1.1. Relationship to Other LDAP Specifications 1.1. Relationship to Other LDAP Specifications
1.2. Relationship to X.501 4 1.2. Relationship to X.501 4
1.3. Conventions 1.3. Conventions
1.4. Common ABNF Productions 1.4. Common ABNF Productions
2. Model of Directory User Information 6 2. Model of Directory User Information 6
2.1. The Directory Information Tree 7 2.1. The Directory Information Tree 7
2.2. Structure of an Entry 2.2. Structure of an Entry
2.3. Naming of Entries 8 2.3. Naming of Entries 8
2.4. Object Classes 9 2.4. Object Classes 9
2.5. Attribute Descriptions 12 2.5. Attribute Descriptions 12
2.6. Alias Entries 15 2.6. Alias Entries 16
3. Directory Administrative and Operational Information 17 3. Directory Administrative and Operational Information 17
3.1. Subtrees 3.1. Subtrees
3.2. Subentries 3.2. Subentries 18
3.3. The 'objectClass' attribute 18 3.3. The 'objectClass' attribute
3.4. Operational attributes 19 3.4. Operational attributes 19
4. Directory Schema 20 4. Directory Schema 22
4.1. Schema Definitions 23 4.1. Schema Definitions 23
4.2. Subschema Subentries 30 4.2. Subschema Subentries 32
4.3. 'extensibleObject' 35 4.3. 'extensibleObject' 35
4.4. Subschema Discovery 4.4. Subschema Discovery 36
5. DSA (Server) Informational Model 36 5. DSA (Server) Informational Model
5.1. Server-specific Data Requirements 5.1. Server-specific Data Requirements 37
6. Other Considerations 39 6. Other Considerations 40
6.1. Preservation of User Information 40 6.1. Preservation of User Information 41
6.2. Short Names 6.2. Short Names
6.3. Cache and Shadowing 41 6.3. Cache and Shadowing
7. Implementation Guidelines 7. Implementation Guidelines 42
7.1. Server Guidelines 7.1. Server Guidelines
7.2. Client Guidelines 7.2. Client Guidelines
8. Security Considerations 42 8. Security Considerations 43
9. IANA Considerations 9. IANA Considerations
10. Acknowledgments 43 10. Acknowledgments 44
11. Editor's Address 11. Editor's Address
12. References 44 12. References
12.1. Normative References 12.1. Normative References 45
12.2. Informative References 45 12.2. Informative References
Appendix A. Changes Appendix A. Changes
Intellectual Property Rights 50 Intellectual Property Rights 51
Full Copyright Full Copyright
1. Introduction 1. Introduction
This document discusses the X.500 Directory Information Models This document discusses the X.500 Directory Information Models
[X.501], as used by the Lightweight Directory Access Protocol (LDAP) [X.501], as used by the Lightweight Directory Access Protocol (LDAP)
[Roadmap]. [Roadmap].
The Directory is "a collection of open systems cooperating to provide The Directory is "a collection of open systems cooperating to provide
directory services" [X.500]. The information held in the Directory is directory services" [X.500]. The information held in the Directory is
skipping to change at page 4, line 7 skipping to change at page 4, line 7
adapted for use in LDAP. Specification of how these models apply to adapted for use in LDAP. Specification of how these models apply to
LDAP is left to future documents. LDAP is left to future documents.
1.1. Relationship to Other LDAP Specifications 1.1. Relationship to Other LDAP Specifications
This document is a integral part of the LDAP technical specification This document is a integral part of the LDAP technical specification
[Roadmap] which obsoletes the previously defined LDAP technical [Roadmap] which obsoletes the previously defined LDAP technical
specification, RFC 3377, in its entirety. specification, RFC 3377, in its entirety.
This document obsoletes RFC 2251 sections 3.2 and 3.4, as well as This document obsoletes RFC 2251 sections 3.2 and 3.4, as well as
portions of sections 4 and 6. Appendix A.1 summaries changes to these portions of sections 4 and 6. Appendix A.1 summarizes changes to
sections. The remainder of RFC 2251 is obsoleted by the [Protocol], these sections. The remainder of RFC 2251 is obsoleted by the
[AuthMeth], and [Roadmap] documents. [Protocol], [AuthMeth], and [Roadmap] documents.
This document obsoletes RFC 2252 sections 4, 5 and 7. Appendix A.2 This document obsoletes RFC 2252 sections 4, 5 and 7. Appendix A.2
summaries changes to these sections. The remainder of RFC 2252 is summarizes changes to these sections. The remainder of RFC 2252 is
obsoleted by [Syntaxes]. obsoleted by [Syntaxes].
This document obsoletes RFC 2256 sections 5.1, 5.2, 7.1 and 7.2. This document obsoletes RFC 2256 sections 5.1, 5.2, 7.1 and 7.2.
Appendix A.3 summarizes changes to these sections. The remainder of Appendix A.3 summarizes changes to these sections. The remainder of
RFC 2256 is obsoleted by [Schema] and [Syntaxes]. RFC 2256 is obsoleted by [Schema] and [Syntaxes].
This document obsoletes RFC 3674 in its entirety. Appendix A.4
summarizes changes since RFC 3674.
1.2. Relationship to X.501 1.2. Relationship to X.501
This document includes material, with and without adaptation, from This document includes material, with and without adaptation, from
[X.501] as necessary to describe this protocol. These adaptations [X.501] as necessary to describe this protocol. These adaptations
(and any other differences herein) apply to this protocol, and only (and any other differences herein) apply to this protocol, and only
this protocol. this protocol.
1.3. Conventions 1.3. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
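Review bot: "This document is a integral part of the LDAP technical specification" in the first paragraph of 1.1 should read "an integral part"; the typo is carried over unchanged from -13 while the neighbouring "summaries" to "summarizes" fixes were made. The new paragraph obsoleting RFC 3674 agrees with the added "RFC 3674" entry in the Obsoletes header line and with the new Appendix A.4.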
skipping to change at page 8, line 13 skipping to change at page 8, line 16
zero options) and one or more associated values. zero options) and one or more associated values.
The attribute type governs whether the attribute can have multiple The attribute type governs whether the attribute can have multiple
values, the syntax and matching rules used to construct and compare values, the syntax and matching rules used to construct and compare
values of that attribute, and other functions. Options indicate values of that attribute, and other functions. Options indicate
subtypes and other functions. subtypes and other functions.
Attribute values conform to the defined syntax of the attribute type. Attribute values conform to the defined syntax of the attribute type.
No two values of an attribute may be equivalent. Two values are No two values of an attribute may be equivalent. Two values are
considered equivalent only if they would match according to the considered equivalent if and only if they would match according to the
equality matching rule of the attribute type. If the attribute type equality matching rule of the attribute type or, if the attribute type
is defined with no equality matching rule, two values are equivalent is defined with no equality matching rule, two values are equivalent
if and only if they are identical. (See 2.5.1 for other if and only if they are identical. (See 2.5.1 for other
restrictions.) restrictions.)
For example, a 'givenName' attribute can have more than one value, For example, a 'givenName' attribute can have more than one value,
they must be Directory Strings, and they are case insensitive. A they must be Directory Strings, and they are case insensitive. A
'givenName' attribute cannot hold both "John" and "JOHN" as these are 'givenName' attribute cannot hold both "John" and "JOHN" as these are
equivalent values per the equality matching rule of the attribute equivalent values per the equality matching rule of the attribute
type. type.
Additionally, no attribute is to have a value which is not equivalent
to itself. For example, the 'givenName' attribute cannot have as a
value a directory string which includes the REPLACEMENT CHARACTER
(U+FFFD) code point as matching involving that directory string is
Undefined per this attribute's equality matching rule.
When an attribute is used for naming of the entry, one and only one When an attribute is used for naming of the entry, one and only one
value of the attribute is used in forming the Relative Distinguished value of the attribute is used in forming the Relative Distinguished
Name. This value is known as a distinguished value. Name. This value is known as a distinguished value.
2.3. Naming of Entries 2.3. Naming of Entries
2.3.1. Relative Distinguished Names 2.3.1. Relative Distinguished Names
Each entry is named relative to its immediate superior. This relative Each entry is named relative to its immediate superior. This relative
name, known as its Relative Distinguished Name (RDN) [X.501], is name, known as its Relative Distinguished Name (RDN) [X.501], is
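Review bot: the rewritten equivalence sentence in 2.2 now contains two "if and only if" clauses joined by "or", which makes the rule hard to parse; splitting it into two sentences ("Two values are considered equivalent if and only if they would match according to the equality matching rule of the attribute type. If the attribute type is defined with no equality matching rule, two values are equivalent if and only if they are identical.") says the same thing unambiguously. In the added paragraph on values not equivalent to themselves, "Undefined" should cite the specification that defines that matching outcome for the rule in question, and it would help implementers to state the consequence explicitly: a server has to reject such a value at add or modify time, since once stored it can neither be matched by an assertion nor reliably removed.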
skipping to change at page 13, line 11 skipping to change at page 13, line 23
If no equality matching is specified for the attribute type: If no equality matching is specified for the attribute type:
- the attribute (of the type) cannot be used for naming; - the attribute (of the type) cannot be used for naming;
- when adding the attribute (or replacing all values), no two values - when adding the attribute (or replacing all values), no two values
may be equivalent (see 2.2); may be equivalent (see 2.2);
- individual values of a multi-valued attribute are not to be - individual values of a multi-valued attribute are not to be
independently added or deleted; independently added or deleted;
- attribute value assertions (such as matching in search filters and - attribute value assertions (such as matching in search filters and
comparisons) using values of such a type cannot be performed. comparisons) using values of such a type cannot be performed.
Otherwise, the equality matching rule is to be used for the purposes Otherwise, the specified equality matching rule is to be used for the
of evaluating attribute value assertions concerning the attribute purposes of evaluating attribute value assertions concerning the
type. attribute type. The specified equality rule is to be transitive and
commutative.
The attribute type indicates whether the attribute is a user attribute The attribute type indicates whether the attribute is a user attribute
or an operational attribute. If operational, the attribute type or an operational attribute. If operational, the attribute type
indicates the operational usage and whether the attribute is indicates the operational usage and whether the attribute is
modifiable by users or not. Operational attributes are discussed in modifiable by users or not. Operational attributes are discussed in
Section 3.4. Section 3.4.
An attribute type (a subtype) may derive from a more generic attribute An attribute type (a subtype) may derive from a more generic attribute
type (a direct supertype). The following restrictions apply to type (a direct supertype). The following restrictions apply to
subtyping: subtyping:
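Review bot: "commutative" in the new sentence at the end of 2.5.1 is the term for operations; for a relation the standard word is "symmetric", so "transitive and symmetric" is clearer. The sentence deliberately omits reflexivity, which is consistent with the new 2.2 text that a matching rule may evaluate to Undefined for some value (the U+FFFD example) and therefore forbids storing such values; stating that reason in one clause here would stop readers from reading the omission as an oversight.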
skipping to change at page 27, line 31 skipping to change at page 27, line 46
NAME <qdescrs> are short names (descriptors) identifying this NAME <qdescrs> are short names (descriptors) identifying this
matching rule; matching rule;
DESC <qdstring> is a short descriptive string; DESC <qdstring> is a short descriptive string;
OBSOLETE indicates this matching rule is not active; OBSOLETE indicates this matching rule is not active;
SYNTAX identifies the assertion syntax (the syntax of the assertion SYNTAX identifies the assertion syntax (the syntax of the assertion
value) by object identifier; and value) by object identifier; and
<extensions> describe extensions. <extensions> describe extensions.
4.1.4. Matching Rule Uses 4.1.4. Matching Rule Uses
A matching rule use lists the attributes which are suitable for use A matching rule use lists the attribute types which are suitable for
with an extensibleMatch search filter. use with an extensibleMatch search filter.
Matching rule use descriptions are written according to the following Matching rule use descriptions are written according to the following
ABNF: ABNF:
MatchingRuleUseDescription = LPAREN WSP MatchingRuleUseDescription = LPAREN WSP
numericoid ; object identifier numericoid ; object identifier
[ SP "NAME" SP qdescrs ] ; short names (descriptors) [ SP "NAME" SP qdescrs ] ; short names (descriptors)
[ SP "DESC" SP qdstring ] ; description [ SP "DESC" SP qdstring ] ; description
[ SP "OBSOLETE" ] ; not active [ SP "OBSOLETE" ] ; not active
SP "APPLIES" SP oids ; attribute types SP "APPLIES" SP oids ; attribute types
skipping to change at page 37, line 28 skipping to change at page 37, line 42
Additional attributes may be defined in other documents. Additional attributes may be defined in other documents.
- altServer: alternative servers; - altServer: alternative servers;
- namingContexts: naming contexts; - namingContexts: naming contexts;
- supportedControl: recognized LDAP controls; - supportedControl: recognized LDAP controls;
- supportedExtension: recognized LDAP extended operations; - supportedExtension: recognized LDAP extended operations;
- supportedFeatures: recognized LDAP features;
- supportedLDAPVersion: LDAP versions supported; and - supportedLDAPVersion: LDAP versions supported; and
- supportedSASLMechanisms: recognized Simple Authentication and - supportedSASLMechanisms: recognized Simple Authentication and
Security Layers (SASL) [SASL] mechanisms. Security Layers (SASL) [SASL] mechanisms.
The values provided for these attributes may depend on The values provided for these attributes may depend on
session-specific and other factors. For example, a server supporting session-specific and other factors. For example, a server supporting
the SASL EXTERNAL mechanism might only list "EXTERNAL" when the the SASL EXTERNAL mechanism might only list "EXTERNAL" when the
client's identity has been established by a lower level. See client's identity has been established by a lower level. See
[AuthMeth]. [AuthMeth].
skipping to change at page 39, line 31 skipping to change at page 39, line 47
Procedures for registering object identifiers used to discovery of Procedures for registering object identifiers used to discovery of
protocol mechanisms are detailed in BCP 64 [BCP64bis]. protocol mechanisms are detailed in BCP 64 [BCP64bis].
( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension' ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
USAGE dSAOperation ) USAGE dSAOperation )
The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax is
defined in [Syntaxes]. defined in [Syntaxes].
5.1.5. 'supportedLDAPVersion' 5.1.5. 'supportedFeatures'
The 'supportedFeatures' attribute lists object identifiers identifying
elective features which the server supports. If the server does not
support any discoverable elective features, this attribute will be
absent.
( 1.3.6.1.4.1.4203.1.3.5 NAME 'supportedFeatures'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
USAGE dSAOperation )
Procedures for registering object identifiers used to discovery of
protocol mechanisms are detailed in BCP 64 [BCP64bis].
The OBJECT IDENTIFIER (1.3.6.1.4.1.1466.115.121.1.38) syntax and
objectIdentifierMatch matching rule are defined in [Syntaxes].
5.1.6. 'supportedLDAPVersion'
The 'supportedLDAPVersion' attribute lists the versions of LDAP which The 'supportedLDAPVersion' attribute lists the versions of LDAP which
the server supports. the server supports.
( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion' ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
USAGE dSAOperation ) USAGE dSAOperation )
The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax are defined in The INTEGER (1.3.6.1.4.1.1466.115.121.1.27) syntax are defined in
[Syntaxes]. [Syntaxes].
5.1.6. 'supportedSASLMechanisms' 5.1.7. 'supportedSASLMechanisms'
The 'supportedSASLMechanisms' attribute lists the SASL mechanisms The 'supportedSASLMechanisms' attribute lists the SASL mechanisms
[SASL] which the server recognizes and/or supports [AuthMeth]. The [SASL] which the server recognizes and/or supports [AuthMeth]. The
contents of this attribute may depend on the current session state. contents of this attribute may depend on the current session state.
If the server does not support any SASL mechanisms this attribute will If the server does not support any SASL mechanisms this attribute will
not be present. not be present.
( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms' ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE dSAOperation ) USAGE dSAOperation )
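Review bot: the new 5.1.5 'supportedFeatures' definition carries "EQUALITY objectIdentifierMatch", whereas the adjacent 'supportedExtension' (1.3.6.1.4.1.1466.101.120.7) and the other root DSE attributes in this section are defined without an EQUALITY rule; under 2.5.1 that means assertions (search filters, compare) can be evaluated against 'supportedFeatures' values but not against 'supportedExtension' values, so please confirm the asymmetry is intended or note it. Two nits in the same region: "object identifiers used to discovery of protocol mechanisms" (present in the unchanged 5.1.4 text and copied into the new 5.1.5 text) should read "used for discovery of", and "The INTEGER (...) syntax are defined" in 5.1.6 should be "is defined".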
skipping to change at page 43, line 34 skipping to change at page 44, line 23
modifiersName A 2.5.18.4 modifiersName A 2.5.18.4
modifyTimestamp A 2.5.18.2 modifyTimestamp A 2.5.18.2
nameForms A 2.5.21.7 nameForms A 2.5.21.7
namingContexts A 1.3.6.1.4.1.1466.101.120.5 namingContexts A 1.3.6.1.4.1.1466.101.120.5
objectClass A 2.5.4.0 objectClass A 2.5.4.0
objectClasses A 2.5.21.6 objectClasses A 2.5.21.6
subschema O 2.5.20.1 subschema O 2.5.20.1
subschemaSubentry A 2.5.18.10 subschemaSubentry A 2.5.18.10
supportedControl A 1.3.6.1.4.1.1466.101.120.13 supportedControl A 1.3.6.1.4.1.1466.101.120.13
supportedExtension A 1.3.6.1.4.1.1466.101.120.7 supportedExtension A 1.3.6.1.4.1.1466.101.120.7
supportedFeatures A 1.3.6.1.4.1.4203.1.3.5
supportedLDAPVersion A 1.3.6.1.4.1.1466.101.120.15 supportedLDAPVersion A 1.3.6.1.4.1.1466.101.120.15
supportedSASLMechanisms A 1.3.6.1.4.1.1466.101.120.14 supportedSASLMechanisms A 1.3.6.1.4.1.1466.101.120.14
top O 2.5.6.0 top O 2.5.6.0
10. Acknowledgments 10. Acknowledgments
This document is based in part on RFC 2251 by M. Wahl, T. Howes, and This document is based in part on RFC 2251 by M. Wahl, T. Howes, and
S. Kille; RFC 2252 by M. Wahl, A. Coulbeck, T. Howes, S. Kille; and S. Kille; RFC 2252 by M. Wahl, A. Coulbeck, T. Howes, S. Kille; and
RFC 2556 by M. Wahl, all products of the IETF Access, Searching and RFC 2556 by M. Wahl, all products of the IETF Access, Searching and
Indexing of Directories (ASID) Working Group. This document is also Indexing of Directories (ASID) Working Group. This document is also
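Review bot: "RFC 2556 by M. Wahl" in the Acknowledgments should read RFC 2256, the document this draft obsoletes per its header and Section 1.1; the typo is unchanged from -13. The new 'supportedFeatures' row in the registration table (1.3.6.1.4.1.4203.1.3.5) matches the OID in the 5.1.5 definition.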
skipping to change at page 45, line 44 skipping to change at page 46, line 34
-- Overview of concepts, models and services," -- Overview of concepts, models and services,"
X.500(1993) (also ISO/IEC 9594-1:1994). X.500(1993) (also ISO/IEC 9594-1:1994).
[X.501] International Telecommunication Union - [X.501] International Telecommunication Union -
Telecommunication Standardization Sector, "The Directory Telecommunication Standardization Sector, "The Directory
-- Models," X.501(1993) (also ISO/IEC 9594-2:1994). -- Models," X.501(1993) (also ISO/IEC 9594-2:1994).
[X.680] International Telecommunication Union - [X.680] International Telecommunication Union -
Telecommunication Standardization Sector, "Abstract Telecommunication Standardization Sector, "Abstract
Syntax Notation One (ASN.1) - Specification of Basic Syntax Notation One (ASN.1) - Specification of Basic
Notation", X.680(1997) (also ISO/IEC 8824-1:1998). Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
12.2. Informative References 12.2. Informative References
None. None.
Appendix A. Changes Appendix A. Changes
This appendix is non-normative. This appendix is non-normative.
This document amounts to nearly a complete rewrite of portions of RFC This document amounts to nearly a complete rewrite of portions of RFC
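Review bot: the normative [X.680] citation moves from the 1997 edition (ISO/IEC 8824-1:1998) to the 2002 edition (ISO/IEC 8824-1:2002) without any mention in the Changes appendix; since this is a normative reference change, a one-line entry in Appendix A would make it visible to implementers comparing editions.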
skipping to change at page 50, line 11 skipping to change at page 51, line 4
Section 5.2 of RFC 2256 provided the definition of the Section 5.2 of RFC 2256 provided the definition of the
'aliasedObjectName' attribute type. This was integrated into 'aliasedObjectName' attribute type. This was integrated into
Section 2.6.2 of this document. Section 2.6.2 of this document.
Section 7.1 of RFC 2256 provided the definition of the 'top' object Section 7.1 of RFC 2256 provided the definition of the 'top' object
class. This was integrated into Section 2.4.1 of this document. class. This was integrated into Section 2.4.1 of this document.
Section 7.2 of RFC 2256 provided the definition of the 'alias' Section 7.2 of RFC 2256 provided the definition of the 'alias'
object class. This was integrated into Section 2.6.1 of this object class. This was integrated into Section 2.6.1 of this
document. document.
A.4 Changes to RFC 3674
This document made no substantive change to the 'supportedFeatures'
technical specification provided in RFC 3674.
Intellectual Property Rights Intellectual Property Rights
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be found on the procedures with respect to rights in RFC documents can be found
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/